
Two popular artificial intelligence companion apps, “Chattee Chat” and “GiMe Chat,” have exposed millions of intimate messages, images, and videos belonging to more than 400,000 users after researchers discovered an unsecured data streaming system used by the apps’ developer.
Cybersecurity researchers at Cybernews reported finding the leak on August 28, 2025, within an unprotected Kafka Broker instance used by Hong Kong-based software developer Imagime Interactive Limited. The exposed system streamed private conversations between users and AI companions in real time, along with links to personal photos and AI-generated media.
The exposed data included more than 43 million user messages and over 600,000 images and videos. While no direct identifiers such as names or emails were found, the leak contained IP addresses and unique device identifiers that could potentially be linked to individuals through other breaches. Researchers warned that this information could be used for harassment, blackmail, or other forms of online abuse.
“There was virtually no content that could be considered safe for work,” Cybernews said. “This troubling leak highlights a huge gap between the complete trust users place in these apps and the security negligence of the developers.”
According to Cybernews, anyone with the link could connect to the content delivery network and view users’ communications, uploaded files, and AI-generated media. No authentication or access controls were in place.
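The defect described above is a configuration problem on the broker rather than a software bug: a Kafka listener exposed in PLAINTEXT mode, with no authorizer, accepts anonymous clients and lets them subscribe to every topic. The following audit script is an added example, not code from the article or from the apps' developer; the two server.properties fragments in it are constructed samples, not the leaked broker's actual settings. It flags listeners that are reachable from other hosts without TLS or client authentication, listeners whose custom names map to PLAINTEXT through listener.security.protocol.map, and brokers with no authorizer or with allow.everyone.if.no.acl.found enabled.

```python
"""Audit a Kafka broker's server.properties for exposure settings of the kind
described in the article. Added example; the sample configs are constructed."""
from __future__ import annotations

import ipaddress

# Constructed sample: an internet-facing listener with no TLS, no auth, no ACLs.
WEAK_CONFIG = """
broker.id=0
listeners=PLAINTEXT://0.0.0.0:9092
advertised.listeners=PLAINTEXT://broker.example.invalid:9092
"""

# Constructed sample: authenticated TLS listener with deny-by-default ACLs.
HARDENED_CONFIG = """
broker.id=0
listeners=SASL_SSL://0.0.0.0:9093
advertised.listeners=SASL_SSL://broker.example.invalid:9093
sasl.enabled.mechanisms=SCRAM-SHA-512
ssl.keystore.location=/etc/kafka/ssl/broker.keystore.jks
authorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:admin
"""


def parse_properties(text: str) -> dict[str, str]:
    """Parse Java-style key=value properties; comments and blank lines are skipped."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _is_loopback(host: str) -> bool:
    """True only for addresses that other machines cannot reach."""
    host = host.strip("[]")  # bare IPv6 literals are written as [::1]
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostnames and the empty host (all interfaces) are reachable


def audit_broker(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    props = parse_properties(text)
    findings: list[str] = []

    # Custom listener names (e.g. INTERNAL://...) take their protocol from this map.
    proto_map: dict[str, str] = {}
    for item in props.get("listener.security.protocol.map", "").split(","):
        name, sep, proto = item.partition(":")
        if sep:
            proto_map[name.strip().upper()] = proto.strip().upper()

    for entry in props.get("listeners", "").split(","):
        entry = entry.strip()
        if not entry:
            continue
        name, _, hostport = entry.partition("://")
        host = hostport.rpartition(":")[0]  # "" means bind on every interface
        protocol = proto_map.get(name.upper(), name.upper())
        if _is_loopback(host):
            continue
        if protocol == "PLAINTEXT":
            findings.append(f"{entry}: no TLS and no authentication on a reachable interface")
        elif protocol == "SSL" and props.get("ssl.client.auth", "none").lower() != "required":
            findings.append(f"{entry}: TLS without client certificates, so clients stay anonymous")

    if "authorizer.class.name" not in props:
        findings.append("authorizer.class.name unset: every client may read and write every topic")
    elif props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: topics without an ACL are open to all")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_broker(cfg) or ['no findings']}")
```

Run it as a pre-deployment check or a periodic job over each broker's server.properties; the hardened sample passes only because it pairs an authenticated listener with an authorizer that denies access unless an ACL grants it, which is the combination the exposed broker lacked.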
Imagime Interactive, which operates both Chattee Chat and GiMe Chat on Android and iOS, claims in its privacy policy that it “attaches great importance” to protecting user data and employs “a high degree of prudence” in handling personal information. However, researchers said the exposed server directly contradicted those assurances.
At the time of discovery, Chattee Chat ranked as the No. 121 Entertainment app on the Apple App Store, with more than 300,000 downloads and hundreds of positive reviews, mostly from U.S. users. The second app, GiMe Chat, was significantly less popular. The leaked registration data showed that roughly two-thirds of affected users were on iOS devices.
During the investigation, Chattee Chat was delisted from the Google Play Store, and the developer began directing Android users to download the app via sideloaded APKs instead of official channels.
Cybernews also discovered in-app purchase records indicating that some users had spent as much as $18,000 on in-app currency, while overall revenues from the apps likely exceeded $1 million. The leak additionally exposed authentication tokens, potentially allowing hackers to hijack user accounts, though the practical value of doing so may be limited.
While the developer did not respond to Cybernews’ requests for comment, the exposed instance was secured after responsible disclosure. The timeline of the incident shows the leak was discovered on August 29, disclosed to the developer on September 5, reported to CERT on September 15, and closed by September 19.
It remains unclear whether malicious actors accessed the exposed data. The server was already indexed by major Internet of Things search engines, which means it could have been easily found by hackers scanning for vulnerable systems.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543